When a state agency puts out a software procurement RFP, "SOC 2 Type II certified" often appears as a checkbox requirement. The vendor checks it. The procurement team checks it off. Nobody asks what was actually in scope.

That's a problem. SOC 2 Type II is a real and meaningful certification, but it's flexible enough that two vendors can both hold it while having dramatically different security postures. Understanding what's actually being attested to requires asking a few specific questions that don't show up in standard vendor questionnaires.

What SOC 2 Type II Actually Tells You

SOC 2 is a framework created by the AICPA (American Institute of Certified Public Accountants). Type II specifically means the auditor didn't just inspect the company's controls at a single point in time. They tested whether those controls actually operated effectively over a period, typically six to twelve months. That's significantly more rigorous than Type I.

The framework is organized around five Trust Services Criteria: Security (required), Availability, Processing Integrity, Confidentiality, and Privacy. Vendors choose which criteria to include. A vendor with SOC 2 Type II covering only the Security TSC has a narrower attestation than one covering Security, Availability, and Confidentiality.

Scope also matters enormously. A report that covers only the vendor's internal corporate IT systems is very different from one that explicitly includes the production environment your agency's data will live in.

Questions Agencies Should Ask Before Signing

The SOC 2 report itself tells the story, if you read it. You're entitled to request a copy of the full report (the "Type II report" with auditor opinion and description of controls tested), not just a summary letter or a badge on a vendor's website.

Start with scope: does the report explicitly cover the production systems, data centers, and cloud infrastructure that will handle your data? Ask the vendor which cloud provider and regions are included.

Ask about the audit period. A report issued in November 2025 covering April through October 2025 is current. A report issued in November 2023 is not, regardless of when it's presented to you. Ask when the next audit is scheduled.

Ask which Trust Services Criteria are in scope. If you're handling personally identifiable information or medical data, you want to see the Confidentiality TSC included. For a system your agency will depend on operationally, Availability matters too.

Ask about exceptions. Auditors note "exceptions" when a tested control didn't operate effectively during the period. A few minor exceptions with documented remediation plans are normal. A pattern of repeated exceptions in the same control areas is a warning sign.

Finally, ask whether the report covers subservice organizations. Many SaaS vendors use cloud infrastructure providers, backup vendors, or third-party authentication services. If those are "carved out" of the report, the vendor isn't attesting to the controls those providers have in place. You may want their reports too.

Why This Matters for Government Applications

State and local government software handles data that carries specific legal obligations: HIPAA for medical data, PII protection requirements that vary by state, and in some cases federal data handling standards depending on the program.

SOC 2 doesn't replace those obligations. It's a general commercial standard. An agency handling medical cannabis patient records, for example, needs more than a security controls audit. It needs a vendor that has signed a Business Associate Agreement (BAA), uses encryption that meets applicable standards, and can demonstrate data residency within the United States.

The certification is a starting point. It means the vendor takes security controls seriously enough to hire an independent auditor to test them. But a thorough vendor evaluation still requires reviewing the actual report, understanding what's in scope, and confirming the certification covers what it says it does.

cloudPWR's Approach

cloudPWR holds SOC 2 Type II certification covering its production infrastructure on Microsoft Azure. The certification covers security controls for data handling in our government-facing applications, including AIRLIFT Connect.

We're also a GovRAMP member, the state and local government counterpart to the federal FedRAMP program. We operate under signed BAAs for applications handling health-related data.

When agencies ask to review our SOC 2 report, the answer is yes. We want procurement teams asking the right questions. An agency that scrutinizes vendor security certifications is doing exactly what it should, and that scrutiny is a good indicator of a thoughtful technology partner.

If you're evaluating document integration software and want to walk through our compliance posture, contact the cloudPWR team.